reactd.conf

# This is a sample configuration file

# The commands will have the following env variables available:
# REACT_0 .. REACT_9: the matches from the last regular expression match, just like \0 .. \9 (only for trigger) (note: the whole line is available in REACT_0)
# REACT_KEY: the key of the threshold
# REACT_SOURCE: file where string was matched

options {
    pidfile   = "/var/run/reactd.pid"
    logdst    = stderr
    # logfile = "/tmp/reactd.log"
    logprefix = "[%F %T] "
    loglevel  = info
}

# "/var/log/messages" {
#    "FAILED su for (\S+) by (\S+)" {
#            command="/home/alan/git/reaction/scripts/ssh-ipset.sh",
#            key="\2-authenticating-as-\1",
#            trigger = 2 in 5 minutes
#    }
#            reset {
#                timeout = 10 seconds,
#                command = "/home/alan/git/reaction/reset.sh" "arg1" "arg2"
#            }
#      }
#      "(\S+) is on fire!" {
#        key="\1",
#        command="/home/alan/git/reaction/alert.sh" # command runs every time there's a match, because there's no trigger
#      }
#}

"/dev/shm/log/asterisk" {
    /log_failed_request: Request '[^']+' from '[^']+' failed for '([^:]+):\d*/ {
        # command = "/home/alan/git/reaction/scripts/sipblock-ipset.sh" "\1"
        command = "/home/alan/git/reaction/scripts/block-ipset.sh" "sipblock" "7200"
        key = "\1"
        trigger = 2 in 10 minutes
    }
}

"/dev/shm/log/sshd" {
    /authentication failure.*rhost=(\d+\.\d+\.\d+\.\d+)/ {
        # command = "/home/alan/git/reaction/scripts/ssh-ipset.sh" "\1"
        command = "/home/alan/git/reaction/scripts/block-ipset.sh" "sshblock" "3600"
        key = "\1"
        trigger = 2 in 10 minutes
    }
}

"/dev/shm/log/exim-bad" {
#    "authenticator failed for \(\[[^\]]*\]\) \[(\d+\.\d+\.\d+\.\d+)\]:.*Incorrect authentication data" {
    /authenticator failed for .*(?<!\d)(\d+\.\d+\.\d+\.\d+).*Incorrect authentication data/ {
        # command = "/home/alan/git/reaction/scripts/smtpblock-ipset.sh" "\1"
        command = "/home/alan/git/reaction/scripts/block-ipset.sh" "smtpblock" "3600"
        key = "\1"
        trigger = 1 in 10 minutes
    }
}

"/dev/shm/log/ldap-bad" {
    /IP=(\d+\.\d+\.\d+\.\d+) wrong bind password/ {
        # command = "/home/alan/git/reaction/scripts/ldapblock-ipset.sh" "arg1" "arg2"
        command = "/home/alan/git/reaction/scripts/block-ipset.sh" "ldapblock" "7200"
        key = "\1"
        trigger = 2 in 10 minutes
    }
}